Snort mailing list archives
Re: Content matching question
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 20 Jan 2014 13:22:08 -0700
On 2014-01-20 10:58, James Lay wrote:
> Hey all,
>
> So....I'm trying to figure out how to really NOT match certain content, but match if the data size is longer than expected. Example: I have a packet where the usual data size is say 20 bytes and contains the word "bleh". I know I can content:!"bleh" and away I go. But say that packet is 30 bytes? That I'd like to see, regardless if it has the content "bleh" or not. What are my options? Byte_test? It's not http, so any options with that were out.
>
> Thanks for any guidance.
>
> James

Turns out dsize was just what I needed:

dsize:>300

YAY..thanks all.

James
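
An added example, not part of the original thread: options inside one Snort rule are ANDed, so "alert if the token is missing, or if the payload is oversized whatever it contains" takes two rules. The protocol, port 9999, the 20-byte threshold taken from the question's example, the msg text and the local sids are assumptions chosen for illustration.

```snort
# Rule 1: the expected token is absent from the payload.
alert tcp any any -> $HOME_NET 9999 (msg:"LOCAL expected token missing"; content:!"bleh"; sid:1000001; rev:1;)

# Rule 2: the payload is larger than the usual 20 bytes. There is no content
# option here, so it fires whether or not "bleh" is present.
alert tcp any any -> $HOME_NET 9999 (msg:"LOCAL payload larger than expected"; dsize:>20; sid:1000002; rev:1;)

# dsize measures the payload of a single packet. In Snort 2.x it does not
# match on stream-rebuilt packets, so it will not catch a long message that
# arrives split across several small TCP segments.
```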